On April 4, 2022, Ontario became the first province in Canada to regulate online gambling, legalizing what was previously a grey market in this space. The following are five critical things to know about this new regime.
Dual Track Process. Any company that wishes to become an approved Operator of an online gaming site in Ontario must meet the separate requirements imposed by both (A) the Alcohol and Gaming Commission of Ontario (“AGCO”), the Regulator of Ontario’s regulated iGaming market, and (B) iGaming Ontario® (“iGO”), which is a subsidiary corporation of AGCO responsible for conducting and managing iGaming when provided through private Operators. Both of these entities have different responsibilities and impose specific requirements on prospective Operators. For example, as a first step, prospective Operators must sign a non-disclosure agreement with iGO to get a copy of the mandatory Operating Agreement and Letter of Agreement, followed by other mandatory operating requirements (i.e., completing anti-money laundering submissions, setting up secure data exchange services, etc.). At the same time, prospective Operators must undertake a parallel process with AGCO (i.e., seeking Independent Testing Laboratory (“ITL”) certification for the company’s online games and critical gaming systems, registering as an Internet Gaming Operator, implementing various control activities/measures in order to comply with the requirements of the Gaming Control Act, 1992 and the Registrar’s Standards for Internet Gaming, ensuring staff training, etc.). IGO’s website advises that Operators should expect a minimum of ninety (90) days to complete the steps required to become registered by the AGCO and execute an Operating Agreement with iGO, but there are no timing guarantees. Ultimately, approved iGaming Operators are listed on the igamingontario.ca website.
Detailed Regulations. The Registrar’s Standards for Internet Gaming (“Standards”) is a forty (40) plus page detailed document that sets out the Standards and Requirements made by the Registrar under the Gaming Control Act, 1992 applicable to regulated internet gaming sites in Ontario. These “Standards and Requirements” are divided into the six identified risk themes, under which theme-specific Standards and Requirements are provided. These risk themes include: (1) Entity Level; (2) Responsible Gambling; (3) Prohibiting Access to Designated Groups and Player Account Management; (4) Ensuring Game Integrity and Player Awareness; (5) Information Security and Protection of Assets; and (6) Minimizing Unlawful Activity Relating to Gaming. Each of the “themes” above contain further sub-subsections and requirements that impose detailed obligations upon Operators that must be translated into specific action items. (For example, “Entity Level” requirements including creating codes of conduct, creating and documenting formal control activities to achieve specific regulatory outcomes, implementing personnel screening processes, ensuring senior-level oversight, and audit requirements, just to name a few.)
Operators are also responsible for the actions of third parties with whom they contract for the provision of any aspect of the Operator’s business related to gaming in Ontario and must require the third party to conduct themselves on behalf of the Operator as if they were bound by the same laws, regulations and standards. There are very detailed requirements regarding responsible gambling, controls on marketing, advertising and promotional activities to avoid targeting high-risk, underage or self-excluded persons (individuals who wish to exclude themselves from gaming sites), ensuring that Operators provide assistance for players who may be experiencing harms from gaming is readily available and systematically provided, for example. No one said that AGCO is making it easy!
It’s not just about the Operators. It is worth noting that many of the detailed rules and regulations described above in the Standards apply not just to Operators but also to “gaming-related suppliers” (as defined under the Ontario Regulation 78/12 made under the Gaming Control Act, 1992). These include persons (entities) who manufacture, provide, install, test, maintain or repair gaming equipment or who provides consulting or similar services directly related to the playing of a lottery scheme or the operation of a gaming site. These entities must be registered with AGCO and, as noted above, must comply with many of the (flagged) requirements set out in the Standards. AGCO notes that various ancillary providers may fall into this category and require registration, including platform providers, suppliers that manufacture, develop, provide and/or run games and game systems, customer electronic wallet providers, odds makers, sports integrity monitoring organizations and independent test labs. Gaming-related suppliers also have very detailed requirements to meet pursuant to ACGO’s Internet Gaming Go-Live Compliance Guide available at https://www.agco.ca/lottery-and-gaming/guides/internet-gaming-go-live-compliance-guide.
There are no Canadian residency requirement or language requirements. Operators are not required to have a business established in Canada, and foreign companies can apply to become licensed Operators. Additionally, Operator websites are not required to be offered in the French language. However, as part of the customer service requirements set out in the Standards, player complaints and disputes must be resolved under Ontario and Canadian law.
Very detailed Information Technology, Security Management and Data Governance/Protection Standards. In order to validate minimum age and other requirements, Operators must collect detailed personal information from players which must be saved upon registration before a player account is created. This personal information includes name, date of birth, address, method of identification for subsequent log on (such as user name), player contact information, and information required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) and the regulations under it.
Not surprisingly, the Standards also contain detailed Information Technology requirements to ensure core assets (gaming equipment and systems, including hardware, software, applications, and all associated components of gaming equipment and the technology environment) are protected and that customer information and funds are adequately safeguarded. For example, Operators must ensure that access privileges to gaming systems are granted, modified and revoked based on employment status/job requirements and all activities associated with these actions are logged and traceable to specific individuals. Connections/interfaces to gaming systems must be monitored, hardened and assessed to protect against security threats and vulnerabilities and disaster recovery sites must be put in place.
Operators and gaming related suppliers have ongoing obligations to keep current on current security threats and risks to the security, integrity and availability of their gaming technology and related components that they operate or supply. All “Sensitive Data” (defined under the Standards as including, but not limited to, player information and data relevant to determining game outcomes), must be secured and protected from unauthorized access or use at all times and data must be backed up in a manner to ensure that it be completely and accurately restored. Data collection and protection requirements for player personal information must meet the requirements set out in Ontario’s Freedom of Information and Protection of Privacy Act, the provincial public sector statute that applies to AGCO.
The Standards also include detailed architecture and infrastructure, data and information management, and system account management requirements. There is also a separate set of minimum standards for software used in gaming systems (including modified commercial off the self software, proprietary developed software and software specifically developed by iGO or the Ontario Lottery and Gaming Commission) which reflect best practices for software development and ongoing management lifecycles, including testing, patching/upgrades, change management.
In addition to the Standards and as mentioned above, AGCO requires that any games and supporting critical gaming systems must be certified by an ITL that is registered with the AGCO before the systems are made available for play in Ontario. Within the AGCO, the Technology Regulation and iGaming Compliance Branch is responsible for ensuring that Operators and gaming-related suppliers meet specific go-live compliance measures as set out in AGCO’s Internet Gaming Go-Live Compliance Guide (see https://www.agco.ca/lottery-and-gaming/guides/internet-gaming-go-live-compliance-guide).
The Guide sets out in detail other technology requirements that must be met before the Operator can be approved, including the requirements for each operator and gaming-related supplier who runs critical gaming systems to (i) provide a Technology Compliance Confirmation for review by the AGCO; (ii) develop a Control Activity Matrix (“CAM”)and for operators to submit their CAMs for review by the AGCO; (iii) ensure that ITL certifications are in place before going live; and (iv) meet the requirements related to the AGCO Internet Gaming Notification Matrix and AGCO Secure Data Exchange.
While there is no question that many in Ontario welcome the idea of an online gaming market that will operate lawfully in Ontario (and generate new tax revenues for the Province’s coffers), it remains to be seen whether the initial strict and complex compliance requirements for such operators and gaming related suppliers imposed by ACGO and iGO will be sufficient to mitigate certain concerns, including those related to increased access to gaming and problematic gambling, or whether additional changes will be required.
Lisa R. Lifshitz